Details
-
Type:
Bug
-
Status: Open
-
Priority:
Major
-
Resolution: Unresolved
-
Affects Version/s: 1.0.0
-
Fix Version/s: None
-
Component/s: Data Module
-
Labels:None
Description
I encountered the following exception when I'm working on Sqoop 2 to enable kerberos in the integration tests:
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:212)
at org.apache.thrift.transport.TSaslClientTransport.handleSaslStartMessage(TSaslClientTransport.java:94)
at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:271)
at org.apache.thrift.transport.TSaslClientTransport.open(TSaslClientTransport.java:37)
at org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport$1.run(TUGIAssumingTransport.java:52)
at org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport$1.run(TUGIAssumingTransport.java:49)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:415)
at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1628)
at org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport.open(TUGIAssumingTransport.java:49)
at org.apache.hadoop.hive.metastore.HiveMetaStoreClient.open(HiveMetaStoreClient.java:409)
at org.apache.hadoop.hive.metastore.HiveMetaStoreClient.<init>(HiveMetaStoreClient.java:230)
at org.apache.hadoop.hive.metastore.HiveMetaStoreClient.<init>(HiveMetaStoreClient.java:175)
at org.kitesdk.data.spi.hive.MetaStoreUtil.<init>(MetaStoreUtil.java:82)
at org.kitesdk.data.spi.hive.HiveAbstractMetadataProvider.getMetaStoreUtil(HiveAbstractMetadataProvider.java:63)
at org.kitesdk.data.spi.hive.HiveAbstractMetadataProvider.resolveNamespace(HiveAbstractMetadataProvider.java:270)
at org.kitesdk.data.spi.hive.HiveAbstractMetadataProvider.resolveNamespace(HiveAbstractMetadataProvider.java:255)
at org.kitesdk.data.spi.hive.HiveAbstractMetadataProvider.exists(HiveAbstractMetadataProvider.java:159)
at org.kitesdk.data.spi.filesystem.FileSystemDatasetRepository.exists(FileSystemDatasetRepository.java:257)
at org.kitesdk.data.Datasets.exists(Datasets.java:629)
at org.kitesdk.data.Datasets.exists(Datasets.java:646)
at org.apache.sqoop.connector.kite.KiteToInitializer$2.run(KiteToInitializer.java:75)
at org.apache.sqoop.connector.kite.KiteToInitializer$2.run(KiteToInitializer.java:69)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:415)
In the Sqoop 2 scenario, all the clusters are kerberos enabled and user Sqoop2 impersonate user sqoopclient and tries to access the Hive Metastore via the kite API. While Hive Metastore only supports token based authentication for proxy user. So authentication failed.
To solve this issue, user Sqoop2 needs to create a delegation token with name such as SqoopImpersonationToken for user sqoopclient and set hive configuration hive.metastore.token.signature to SqoopImpersonationToken.
But kite currently neither expose the configuration object nor provide other ways to set a specific configuration. I think this issue also exists for other projects which need to access hive dataset using kite with an impersonation user in kerberos environment. Not sure if it would make sense for kite to expose the configuration object or provide an interface to set a specific configuration?